# Shared environment for the local IdP + SP federation. Read by docker compose
# and by `just` (whose dotenv parser rejects unquoted spaces, so keep values
# space-free). This file is shared: put only non-secret defaults in it and
# supply anything sensitive through a local, untracked override.

# --- Hostnames (drive Caddy TLS, base URLs, and entityIDs) -----------------
IDP_DOMAIN=idp.gamlastan.sverige
SP_DOMAIN=sp.gamlastan.sverige

# --- IdP: Service Provider metadata resolution -----------------------------
# SWAMID QA MDQ resolves QA SPs on demand; each response is signature-verified
# against SAML_IDP_METADATA_CERT. Local files in django-idp/data/metadata (e.g.
# the SP's own metadata via `just link`) are tried first and trusted as-is, with
# no signature check — treat that directory as a trust store and only drop in
# metadata you have verified yourself.
# The cert must be SWAMID's metadata signing certificate: obtain it out of band
# and check its fingerprint against the value SWAMID publishes before relying
# on it, since it is the sole root of trust for everything resolved via MDQ.
SAML_IDP_MDQ_URL=https://mds.swamid.se/qa/
SAML_IDP_METADATA_CERT=/data/swamid-signing.pem
# Home-org scope for the IdP's scoped attributes (eduPersonPrincipalName etc.):
SAML_IDP_SCOPE=gamlastan.sverige

# --- SP: discovery + IdP metadata resolution -------------------------------
# Federation mode: leave SAML_SP_IDP_ENTITYID empty so login sends users to the
# discovery service, where they may pick any IdP in the QA federation; IdP
# metadata is then fetched from the SWAMID QA MDQ and signature-verified against
# SAML_SP_METADATA_CERT. Because any federation IdP can then authenticate users
# to this SP, enforce access control inside the SP (by issuer entityID and/or
# released attributes) rather than assuming only the local IdP reaches it.
# Set SAML_SP_IDP_ENTITYID to skip discovery and always use that one IdP.
SAML_SP_IDP_ENTITYID=
SAML_SP_DISCOVERY_URL=https://ds.qa.swamid.se/ds/
SAML_SP_MDQ_URL=https://mds.swamid.se/qa/
SAML_SP_METADATA_CERT=/data/swamid-signing.pem

# --- SP descriptive metadata (required by SWAMID; fill in before registering) -
# Display name, description, and org display name contain spaces, so their
# defaults live in docker-compose.yml (`just`'s dotenv parser rejects unquoted
# spaces in .env); to change them, edit those defaults in docker-compose.yml.
# The space-free contact emails required by SWAMID (technical, support, and the
# REFEDS security contact) are set here. Use monitored role mailboxes — the
# security contact is where federation incident reports will be sent:
SAML_SP_TECHNICAL_EMAIL=technical@gamlastan.sverige
SAML_SP_SUPPORT_EMAIL=support@gamlastan.sverige
SAML_SP_SECURITY_EMAIL=security@gamlastan.sverige

# --- Demo accounts (IdP) — local development only ---------------------------
# Leave these commented out in the shared file; the values shown are the
# well-known demo defaults and must be treated as public. If you need real
# values, set them in a local, untracked override rather than here, and never
# expose the IdP beyond localhost with DJANGO_SECRET_KEY left at a guessable
# value (Django uses it to sign sessions and tokens). Presumably these defaults
# are applied when unset — confirm in docker-compose.yml / the IdP settings.
# DEMO_PASSWORD=gamlastan
# DJANGO_SECRET_KEY=change-me
